| Summary: | WKWebViewConfiguration._corsDisablingPatterns should also disable CORS for script tags with crossorigin attributes | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Alex Christensen <achristensen> | ||||
| Component: | New Bugs | Assignee: | Alex Christensen <achristensen> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | cdumez, dbates, ews-watchlist, japhet, rniwa, timothy, webkit-bug-importer, youennf | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
|
Description
Alex Christensen
2020-02-20 15:32:12 PST
Created attachment 391344 [details]
Patch
Comment on attachment 391344 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=391344&action=review > Source/WebCore/loader/CrossOriginAccessControl.cpp:131 > + if (options.mode != FetchOptions::Mode::NoCors) { If the goal is to change the behaviour for scripts only (as seems to indicate the bug title), I believe we should do the change in CachedScriptFetcher. If we want to do this for all loads, maybe we should update the option in CachedResourceLoader instead. Note also that this change is visible from service workers. We do want it for everything, the title just reflects that we found this through scripts. We should change the title, and maybe move this logic to CachedResourceLoader I changed the title. http://trac.webkit.org/r257215 Attempts to move this to CachedResourceLoader failed. The only relevant code in that class that is hit in this test is CachedResourceLoader::requestResource and changing the CORS mode then seems too late because it just times out. |